Code source de geonature.core.gn_permissions.decorators

"""
Decorators to protects routes with permissions
"""

from functools import wraps
from warnings import warn

from flask import request, g
from werkzeug.exceptions import Unauthorized, Forbidden

from geonature.core.gn_permissions.tools import get_permissions, get_scopes_by_action


# use login_required from flask_login
from flask_login import login_required


[docs] def _forbidden_message(action, module_code, object_code): message = f"User {g.current_user.id_role} has no permissions to {action}" if module_code: message += f" in {module_code}" if object_code: message += f" on {object_code}" return message
[docs] def check_cruved_scope( action, module_code=None, object_code=None, *, get_scope=False, ): """ Decorator to protect routes with SCOPE CRUVED The decorator first check if the user is connected and then return the max user SCOPE permission for the action in parameter The decorator manages herited CRUVED from user's group and parent module (GeoNature) Parameters ---------- action : str the requested action of the route <'C', 'R', 'U', 'V', 'E', 'D'> module_code : str, optional the code of the module (gn_commons.t_modules) (e.g. 'OCCTAX') for the requested permission, by default None object_code : str, optional the code of the object (gn_permissions.t_object) for the requested permission (e.g. 'PERMISSIONS'), by default None get_scope : bool, optional does the decorator should add the scope to view kwargs, by default False """ def _check_cruved_scope(view_func): @wraps(view_func) def decorated_view(*args, **kwargs): if not g.current_user.is_authenticated: raise Unauthorized scope = get_scopes_by_action(module_code=module_code, object_code=object_code)[action] if not scope: raise Forbidden(description=_forbidden_message(action, module_code, object_code)) if get_scope: kwargs["scope"] = scope return view_func(*args, **kwargs) return decorated_view return _check_cruved_scope
[docs] def permissions_required( action, module_code=None, object_code=None, ): def _permission_required(view_func): @wraps(view_func) def decorated_view(*args, **kwargs): if not g.current_user.is_authenticated: raise Unauthorized permissions = get_permissions(action, module_code=module_code, object_code=object_code) if not permissions: raise Forbidden(description=_forbidden_message(action, module_code, object_code)) kwargs["permissions"] = permissions return view_func(*args, **kwargs) return decorated_view return _permission_required